VECT 2.0 Ransomware Flaw Wipes Data; DAEMON Tools Hit by Supply Chain Attack; Critical Linux Flaw Grants Root Access

Further details reveal the Instructure data breach, previously reported as a data exfiltration and extortion event, is now confirmed to be a ransomware attack by ShinyHunters. This indicates a double extortion tactic, where systems were likely encrypted for impact in addition to the theft of 3.65 TB of data affecting 275 million users. The threat actor has extended the ransom payment deadline to May 7, 2026, intensifying the pressure on Infrastructure Holdings Inc. The attack's scope and methods are more severe than initially understood, encompassing both data compromise and operational disruption, significantly increasing the incident's overall impact.

Attackers have quickly reverse-engineered the CVE-2026-41940 patch, leading to escalated mass exploitation. The 'Sorry' ransomware, a key payload, is now confirmed to wipe backups, significantly increasing its destructive potential. New intelligence indicates targeted attacks against government and military entities in Southeast Asia, as well as Managed Service Providers (MSPs) globally, including those in Australia, prompting an alert from the Australian Cyber Security Centre (ACSC). This highlights a growing supply chain risk, as compromise of an MSP can impact numerous downstream customers. Administrators are urged to not only patch but also assume compromise if not updated and rebuild from clean backups.

New details confirm Trellix serves over 50,000 customers and highlights similar breaches at Checkmarx and Cisco. The report also provides 'Cyber Observables - Hunting Hints' for customers, advising enhanced monitoring of Trellix ePO/XDR console logs, outbound agent traffic, and file integrity monitoring for any anomalous activity. Trellix maintains no evidence of impact to product release or customer-facing products.

This update provides a refined technical analysis of the Vimeo data breach, incorporating updated MITRE ATT&CK mappings such as T1078.004 (Valid Accounts: Cloud Accounts), T1539 (Steal Web Session Cookie), and T1580 (Cloud Infrastructure Discovery). Additionally, new cyber observables for hunting are included, focusing on specific API endpoint monitoring and user account patterns. The incident's core details remain consistent, but this article offers a slightly different analytical perspective and explicitly lists the original news sources.

Microsoft Threat Intelligence has reported on a significant AiTM phishing campaign active from April 14-16, 2026, impacting 35,000 users across 13,000 organizations, primarily in the US healthcare, financial, and professional services sectors. The attackers used sophisticated 'code of conduct' themed lures, PDF attachments, and CAPTCHA to evade detection. This campaign highlights the real-world impact of AiTM techniques, stealing session tokens to bypass MFA. New hunting hints include Azure AD Event 50126 and headless browser patterns. Microsoft also noted a 146% surge in QR code phishing.